First Read of India's Draft Data Protection Act 2021
Privacy update from India: Here’s a link to a leaked version of the long awaited report of the Joint Parliamentary Committee on India’s Personal Data Protection Bill, 2021. The statutory text begins on page 168. It’s massive and will be massively influential. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:f030ad33-879d-4127-870a-9f055fbe2644
Here's a quick read of interesting provisions:
Perhaps shocking to many, the law will apply not only to personal data but also to *non-personal data*. But – and it’s a big but – obligations for non-personal data are limited mainly to breach notification. For the thinking behind this, see section 1.15.8 of the JPC report.
Once passed, the law will provide a 24-month implementation period.
The law sets up the Data Protection Authority of India, including a long list of provisions about its structure, appointment, powers, budget and more. (Art 41-56). It’s clear that this agency will be a major player on the global data protection stage.
Extraterritorial effect: Like other data protection laws, such as the GDPR and China’s recent PIPL, the law will apply to companies outside India that do business in India or monitor (profile) individuals in India.
Definitions 1: The law introduces interesting terms and definitions. A controller is called a “data fiduciary” (Sen. Schatz rejoice!). A data subject is a “data principal” (nice empowering touch).
Definitions 2: A child is anyone under 18. “Non-personal data” is “data other than personal data”. Sensitive data includes “transgender status” and “intersex status” (both of these terms are defined in detail). And the law introduces the term “consent manager”.
Definitions 3: The law defines “harm” to include, for example, “any discriminatory treatment;” “any observation or surveillance that is not reasonably expected by the data principal;” and “psychological manipulation which impairs the autonomy of the individual”.
The law provides broad – I’d say nearly limitless – exemptions for the government and organs of the state. (See Art 12(a), 35)
In a protectionist gesture to India’s surging outsourcing industry, the law enables the government to exempt data processors who are hired by foreign controllers to process foreign data in India. (Art 37).
In addition to consent (clearly and strictly defined), the law allows for legitimate interest processing. However, it specifies in detail how controller and individual interests must be balanced, and lists some legitimate interest activities (Art 14(2)).
The law recognizes and sets up posthumous privacy rights (Art 17(4)).
The law requires every controller to have a “Privacy by design policy” (essentially an organizational privacy policy), and allows controllers to submit the policy to the regulator for “certification” (Art 22(2)).
Data breach notification period is 72 hours. (Art 25(3))
Cross-border data flows are restricted in two cases: sensitive data may be transferred, but a copy must be stored in India; and “critical personal data” may be transferred only with government approval in very limited circumstances (Art 33-34).
“Critical personal data” means “such personal data as may be notified by the Central Government to be the critical personal data.” One condition for transfer is: “sensitive data shall not be shared with any foreign government unless such sharing is approved by the Central Government”
Where allowed, data transfers must be made with explicit consent and subject to “a contract or intra-group scheme approved by the Authority in consultation with the Central Government”.
Art 26 defines “significant data fiduciaries” according to volume and sensitivity of data processed, annual turnover, risk profile and use of new processing technologies. Social media platforms are ipso facto included in this category.
Significant data fiduciaries are subject to many additional obligations. For example, they must register with the DPA (Art 26(2)), conduct DPIAs (Art 27), maintain records of processing (Art 28), undergo outside audits annually (Art 29) and – importantly – appoint a DPO (Art 30).
A DPO must be “a key managerial personnel” defined as “the CEO; company secretary; whole-time director; CFO; or such other personnel as may be prescribed”. (Art 30(g)). The DPO must be based in India.
The law provides individuals with a private right of action and even sets up the option to bring representative actions. (Art 65(1)-(2)).
Unlawfully re-identifying de-identified data is classified as a serious criminal offence carrying penalties of up to three years imprisonment! (Art 83).
Great overview Omer Tene
Thank you for highlighting its key elements Omer!
Many thanks for sharing Omer
Malavika Raghavan
Omer Tene great summary, thanks. Will it apply to employees and employment-related data (as the GDPR does)?